Twilio is buying customer data startup Segment for between $3B and $4B

Sources have told TechCrunch that Twilio intends to acquire customer data startup Segment for between $3 and $4 billion. Forbes broke the story on Friday night, reporting a price tag of $3.2 billion.

We have heard from a couple of industry sources that the deal is in the works and could be announced as early as Monday.

Twilio and Segment are both API companies. That means they create an easy way for developers to tap into a specific type of functionality without writing a lot of code. As I wrote in a 2017 article on Segment, it provides a set of APIs to pull together customer data from a variety of sources:

Segment has made a name for itself by providing a set of APIs that enable it to gather data about a customer from a variety of sources like your CRM tool, customer service application and website and pull that all together into a single view of the customer, something that is the goal of every company in the customer information business.

While Twilio’s main focus since it launched in 2008 has been on making it easy to embed communications functionality into any app, it signaled a switch in direction when it released the Flex customer service API in March 2018. Later that same year, it bought SendGrid, an email marketing API company for $2 billion.

Twilio’s market cap as of Friday was an impressive $45 billion. You could see how it can afford to flex its financial muscles to combine Twilio’s core API mission, especially Flex, with the ability to pull customer data with Segment and create customized email or ads with SendGrid.

This could enable Twilio to expand beyond its core communications capabilities, and it could come at a cost of around $5 billion for the two companies: a good deal for what could turn out to be a substantial business as more and more companies look for ways to understand and communicate with their customers in more relevant ways across multiple channels.

As Semil Shah from early stage VC firm Haystack wrote in the company blog yesterday, Segment saw a different way to gather customer data, and Twilio was wise to swoop in and buy it.

Segment’s belief was that a traditional CRM wasn’t robust enough for the enterprise to properly manage its pipe. Segment entered to provide customer data infrastructure to offer a more unified experience. Now under the Twilio umbrella, Segment can continue to build key integrations (like they have for Twilio data), which is being used globally inside Fortune 500 companies already.

Segment was founded in 2011 and raised over $283 million, according to Crunchbase data. Its most recent raise was $175 million in April on a $1.5 billion valuation.

Twilio stock closed at $306.24 per share on Friday, up 2.39%.

Segment declined to comment on this story. We also sent a request for comment to Twilio, but hadn’t heard back by the time we published. If that changes, we will update the story.

The Good, the Bad and the Ugly in Cybersecurity – Week 41

The Good

Praise is being heaped on both Apple and five “white hat” bug bounty researchers this week for some stunning work that led to the fixing of 55 bugs, 11 of which were rated critical, in Apple products and infrastructure. The researchers – Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes – spent three months quietly hacking into Apple systems, turning up one zero day bug after another. The most severe bugs included the ability to take over a user’s iCloud account by sending the user a maliciously crafted email. Merely by opening the email – no further clicks or social engineering required – a user would not only have given the attackers full control over their own iCloud account but also caused the wormable exploit to be sent to all of their contacts.

So what makes this such a good news story? There are multiple wins here, for the researchers, for Apple, and for Apple users. First, the researchers themselves took the responsible path and fully disclosed the bugs to Apple. Given the severity of some of these zero days, one can imagine less scrupulous researchers might have been tempted to try and trade some or all of these to third parties for handsome sums. Second, Apple promptly fixed the bugs, sometimes within 48 hours, ensuring that users were not left exposed any longer than absolutely necessary. Apple have said that their logs do not indicate any of these bugs have been exploited in the wild. A third win was for the researchers themselves: Apple are still assessing payouts according to the terms of their bug bounty program, but to date the researchers have received almost $300,000 in rewards, with another $200,000 likely on the way.

And that leads to a bigger win for the security research community at large. There’s been some scepticism about Apple’s bug bounty program in the past, and Apple’s reaction here is exemplary: The researchers were rewarded, allowed to publish the details, and the bugs were fixed in record time. That’s only going to encourage other researchers to engage with Apple’s bug bounty program, and that’s a win for us all.

The Bad

Malware in firmware is a particularly bad thing, but at the same time it’s relatively rare. LoJax made big news back in 2018 as the first UEFI rootkit to be found in the wild, and since then the only other known malware targeting firmware was found in the leak of tools from Italian private intelligence firm “Hacking Team” back in 2015. However, that code hadn’t been seen used in the wild, until now. Researchers this week have published details of an investigation in which they found a modified version of Hacking Team’s “Vector-EDK” malware being used in targeted attacks on diplomats and NGOs from Africa, Asia and Europe.

According to the researchers, the malicious firmware was used to drop a malware executable, “IntelUpdate.exe”, into the victim’s Startup folder, which in turn appears designed to deploy a wider malicious framework dubbed “MosaicRegressor”. The framework’s downloaders contain a variety of mechanisms for contacting the attacker’s C2s, including CURL, WinHTTP API and the BITS transfer interface. Unusually, there is also a POP/SMTP/IMAP mechanism to fetch payloads from hard-coded email addresses, thtgoolnc@mail.ru and thbububugyhb85@mail.ru. Full functionality of the framework and payloads has not yet been ascertained as the researchers were not able to retrieve all components of the malware framework. However, one component, load.rem, appears to be a document stealer targeting the user’s Recent Documents directory.

Source: Securelist

How the as-yet unattributed APT group planted the malicious UEFI images remains unknown at present, though the options appear to be either physical access to the machines or a compromised firmware update mechanism. Given the rarity of UEFI attacks, the full details are certainly worth a read. See these links for background on dumping UEFI and on reversing UEFI images.

The Ugly

For 25,000 Massachusetts school students hoping to recapture some sense of normalcy this fall with a return to classes, it turned out to be a disappointing week. A ransomware attack on the Springfield Public Schools district on Thursday has resulted in the closure of the schools and the suspension of all learning until further notice.

The attack has affected both bricks-and-mortar schools and all remote learning activities as the district took swift action to contain the ransomware by ordering all school devices to be shut down immediately.

Aside from the students at more than sixty schools, the closures also affect 4,500 teaching and other staff.

It is not yet known which family of ransomware is involved or whether the attack has involved a data breach. An announcement about when learning activities will be able to resume was no more specific than stating it was “anticipated that the risk will be cleared and resolved in the near future.” Let’s hope for the sake of staff, students and families that’s sooner rather than later.


How Roblox completely transformed its tech stack

Picture yourself in the role of CIO at Roblox in 2017.

At that point, the gaming platform and publishing system that launched in 2005 was growing fast, but its underlying technology was aging, consisting of a single data center in Chicago and a bunch of third-party partners, including AWS, all running bare metal (nonvirtualized) servers. At a time when users have precious little patience for outages, your uptime was just two nines, or less than 99% (five nines is considered optimal).

Unbelievably, Roblox was popular in spite of this, but the company’s leadership knew it couldn’t continue with performance like that, especially as it was rapidly gaining in popularity. The company needed to call in the technology cavalry, which is essentially what it did when it hired Dan Williams in 2017.

Williams has a history of solving these kinds of intractable infrastructure issues, with a background that includes a gig at Facebook between 2007 and 2011, where he worked on the technology to help the young social network scale to millions of users. Later, he worked at Dropbox, where he helped build a new internal network, leading the company’s move away from AWS, a major undertaking involving moving more than 500 petabytes of data.

When Roblox approached him in mid-2017, he jumped at the chance to take on another major infrastructure challenge. While they are still in the midst of the transition to a new modern tech stack today, we sat down with Williams to learn how he put the company on the road to a cloud-native, microservices-focused system with its own network of worldwide edge data centers.

Scoping the problem

Report: U.S. Cyber Command Behind Trickbot Tricks

A week ago, KrebsOnSecurity broke the news that someone was attempting to disrupt the Trickbot botnet, a malware crime machine that has infected millions of computers and is often used to spread ransomware. A new report Friday says the coordinated attack was part of an operation carried out by the U.S. military’s Cyber Command.

On October 2, KrebsOnSecurity reported that twice in the preceding ten days, an unknown entity that had inside access to the Trickbot botnet sent all infected systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control compromised Microsoft Windows computers.

On top of that, someone had stuffed millions of bogus records about new victims into the Trickbot database — apparently to confuse or stymie the botnet’s operators.

In a story published Oct. 9, The Washington Post reported that four U.S. officials who spoke on condition of anonymity said the Trickbot disruption was the work of U.S. Cyber Command, a branch of the Department of Defense headed by the director of the National Security Agency (NSA).

The Post report suggested the action was a bid to prevent Trickbot from being used to somehow interfere with the upcoming presidential election, noting that Cyber Command was instrumental in disrupting the Internet access of Russian online troll farms during the 2018 midterm elections.

The Post said U.S. officials recognized their operation would not permanently dismantle Trickbot, describing it rather as “one way to distract them for at least a while as they seek to restore their operations.”

Alex Holden, chief information security officer and president of Milwaukee-based Hold Security, has been monitoring Trickbot activity before and after the 10-day operation. Holden said while the attack on Trickbot appears to have cut its operators off from a large number of victim computers, the bad guys still have passwords, financial data and reams of other sensitive information stolen from more than 2.7 million systems around the world.

Holden said the Trickbot operators have begun rebuilding their botnet, and continue to engage in deploying ransomware at new targets.

“They are running normally and their ransomware operations are pretty much back in full swing,” Holden said. “They are not slowing down because they still have a great deal of stolen data.”

Holden added that since news of the disruption first broke a week ago, the Russian-speaking cybercriminals behind Trickbot have been discussing how to recoup their losses, and have been toying with the idea of massively increasing the amount of money demanded from future ransomware victims.

“There is a conversation happening in the back channels,” Holden said. “Normally, they will ask for [a ransom amount] that is something like 10 percent of the victim company’s annual revenues. Now, some of the guys involved are talking about increasing that to 100 percent or 150 percent.”

Grid AI raises $18.6M Series A to help AI researchers and engineers bring their models to production

Grid AI, a startup founded by the inventor of the popular open-source PyTorch Lightning project, William Falcon, that aims to help machine learning engineers work more efficiently, today announced that it has raised an $18.6 million Series A funding round, which closed earlier this summer. The round was led by Index Ventures, with participation from Bain Capital Ventures and firstminute.

Falcon co-founded the company with Luis Capelo, who was previously the head of machine learning at Glossier. Unsurprisingly, the idea here is to take PyTorch Lightning, which launched about a year ago, and turn that into the core of Grid’s service. The main idea behind Lightning is to decouple the data science from the engineering.

The team argues that a few years ago, when data scientists tried to get started with deep learning, they didn’t always have the right expertise and it was hard for them to get everything right.

“Now the industry has an unhealthy aversion to deep learning because of this,” Falcon noted. “Lightning and Grid embed all those tricks into the workflow so you no longer need to be a PhD in AI nor [have] the resources of the major AI companies to get these things to work. This makes the opportunity cost of putting a simple model against a sophisticated neural network a few hours’ worth of effort instead of the months it used to take. When you use Lightning and Grid it’s hard to make mistakes. It’s like if you take a bad photo with your phone but we are the phone and make that photo look super professional AND teach you how to get there on your own.”

As Falcon noted, Grid is meant to help data scientists and other ML professionals “scale to match the workloads required for enterprise use cases.” Lightning itself can get them partially there, but Grid is meant to provide all of the services its users need to scale up their models to solve real-world problems.

What exactly that looks like isn’t quite clear yet, though. “Imagine you can find any GitHub repository out there. You get a local copy on your laptop and without making any code changes you spin up 400 GPUs on AWS — all from your laptop using either a web app or command-line-interface. That’s the Lightning “magic” applied to training and building models at scale,” Falcon said. “It is what we are already known for and has proven to be such a successful paradigm shift that all the other frameworks like Keras or TensorFlow, and companies have taken notice and have started to modify what they do to try to match what we do.”

The service is now in private beta.

With this new funding, Grid, which currently has 25 employees, plans to expand its team and strengthen its corporate offering via both Grid AI and the open-source project. Falcon tells me that he aims to build a diverse team, not least because he himself is an immigrant, born in Venezuela, and a U.S. military veteran.

“I have first-hand knowledge of the extent that unethical AI can have,” he said. “As a result, we have approached hiring our current 25 employees across many backgrounds and experiences. We might be the first AI company that is not all the same Silicon Valley prototype tech-bro.”

“Lightning’s open-source traction piqued my interest when I first learned about it a year ago,” Index Ventures’ Sarah Cannon told me. “So intrigued in fact I remember rushing into a closet in Helsinki while at a conference to have the privacy needed to hear exactly what Will and Luis had built. I promptly called my colleague Bryan Offutt who met Will and Luis in SF and was impressed by the ‘elegance’ of their code. We swiftly decided to participate in their seed round, days later. We feel very privileged to be part of Grid’s journey. After investing in seed, we spent a significant amount with the team, and the more time we spent with them the more conviction we developed. Less than a year later and pre-launch, we knew we wanted to lead their Series A.”

IBM plans to spin off infrastructure services as a separate $19B business

IBM, a company that originally made its name out of its leadership in building myriad enterprise hardware (quite literally: its name is an abbreviation for International Business Machines), is taking one more step away from that legacy and deeper into the world of cloud services. The company today announced that it plans to spin off its managed infrastructure services unit as a separate public company, a $19 billion business in annual revenues, to help it focus more squarely on newer opportunities in hybrid cloud applications and artificial intelligence.

Infrastructure services include a range of managed services based around legacy infrastructure and digital transformation related to it. It includes things like testing and assembly, but also product engineering and lab services, among other things. A spokesperson confirmed to me that the deal will not include the company’s servers business, only infrastructure services.

IBM said it expects to complete the process — a tax-free spin-off for shareholders — by the end of 2021. It has not yet given a name to “NewCo” but it said that out of the gate the spun-off company will have 90,000 employees, 4,600 big enterprise clients in 115 countries, a backlog of $60 billion in business “and more than twice the scale of its nearest competitor” in the area of infrastructure services.

Others that compete against it include the likes of BMC and Microsoft. The remaining IBM business is about three times as big: it currently generates some $59 billion in annual revenues.

At the same time that IBM announced the news, it also gave some updated guidance for Q3, which it plans to report officially later this month. It said it expects revenues of $17.6 billion, with GAAP diluted earnings per share from continuing operations of $1.89, and operating (non-GAAP) earnings per share of $2.58. As a point of comparison, in Q3 2019 it reported revenues of $18 billion. And last quarter IBM reported revenues of $18.1 billion. Tellingly, the division that contains infrastructure services saw declines last quarter.

The market seems to like the news: IBM shares are trading up some 10% ahead of the market opening.

The move is a significant shift for the company and underscores a bigger sea change in how enterprise IT has evolved and looks to continue changing in the future.

IBM is betting that legacy infrastructure and the servicing of it, while continuing to net revenues, will not grow as it has in the past, and as companies continue with their modernization (or “digital transformation,” as consultants like to refer to it today), they will turn increasingly to outsourced infrastructure and using cloud services, both to run their businesses and to build the services that interface with consumers. IBM, meanwhile, is in a race competing against the likes of Microsoft and Google in cloud services, and so doubling down on that part of the business is another way to focus on it for growth.

But IBM, often referred to as “Big Blue”, is also using the announcement as the start of an effort to streamline its business to spur growth (maybe we’ll have to rename it “Medium Blue”).

“IBM is laser-focused on the $1 trillion hybrid cloud opportunity,” said Arvind Krishna, IBM CEO, in a statement. “Client buying needs for application and infrastructure services are diverging, while adoption of our hybrid cloud platform is accelerating. Now is the right time to create two market-leading companies focused on what they do best. IBM will focus on its open hybrid cloud platform and AI capabilities. NewCo will have greater agility to design, run and modernize the infrastructure of the world’s most important organizations. Both companies will be on an improved growth trajectory with greater ability to partner and capture new opportunities – creating value for clients and shareholders.”

Its $34 billion purchase of Red Hat in 2019 is perhaps its most notable investment in recent times in IBM’s own transformation.

“We have positioned IBM for the new era of hybrid cloud,” said Ginni Rometty, IBM Executive Chairman in a statement. “Our multi-year transformation created the foundation for the open hybrid cloud platform, which we then accelerated with the acquisition of Red Hat. At the same time, our managed infrastructure services business has established itself as the industry leader, with unrivaled expertise in complex and mission-critical infrastructure work. As two independent companies, IBM and NewCo will capitalize on their respective strengths. IBM will accelerate clients’ digital transformation journeys, and NewCo will accelerate clients’ infrastructure modernization efforts. This focus will result in greater value, increased innovation, and faster execution for our clients.”

More to come.

As IBM spins out legacy infrastructure management biz, CEO goes all in on the cloud

When IBM announced this morning that it was spinning out its legacy infrastructure services business, it was a clear signal that new CEO Arvind Krishna, who took the reins in April, was ready to fully commit his company to the cloud.

The move was a continuation of the strategy the company began to put in place when it bought Red Hat in 2018 for the princely sum of $34 billion. That purchase signaled a shift to a hybrid-cloud vision, where some of your infrastructure lives on-premises and some in the cloud — with Red Hat helping to manage it all.

Even as IBM moved deeper into the hybrid cloud strategy, Krishna saw the financial results like everyone else and recognized the need to focus more keenly on that approach. In its most recent earnings report, overall IBM revenue was $18.1 billion, down 5.4% compared to the year-ago period. But if you broke out just IBM’s cloud and Red Hat revenue, you saw some more promising results: cloud revenue was up 30 percent to $6.3 billion, while Red Hat-derived revenue was up 17%.

Even more, cloud revenue for the trailing 12 months was $23.5 billion, up 20%.

You don’t need to be a financial genius to see where the company is headed. Krishna clearly saw that it was time to start moving on from the legacy side of IBM’s business, even if there would be some short-term pain involved in doing so. So the executive put his resources into (as they say) where the puck is going. Today’s news is a continuation of that effort.

The managed infrastructure services segment of IBM is a substantial business in its own right, generating $19 billion annually, according to the company, but Krishna was promoted to CEO to clean house, taking over from Ginni Rometty to make hard decisions like this.

While its cloud business is growing, Synergy Research data has IBM public cloud market share mired in single digits with perhaps 4 or 5%. In fact, Alibaba has passed its market share, though both are small compared to the market leaders Amazon, Microsoft and Google.

Like Oracle, another legacy company trying to shift more to the cloud infrastructure business, IBM has a ways to go in its cloud evolution.

As with Oracle, IBM has been chasing the market leaders — Google at 9%, Microsoft 18% and AWS with 33% share of public cloud revenue (according to Synergy) — for years now without much change in its market share. What’s more, IBM competes directly with Microsoft and Google, which are also going after that hybrid cloud business with more success.

While IBM’s cloud revenue is growing, its market share needle is stuck and Krishna understands the need to focus. So, rather than continue to pour resources into the legacy side of IBM’s business, he has decided to spin out that part of the company, allowing more attention for the favored child, the hybrid cloud business.

It’s a sound strategy on paper, but it remains to be seen if it will have a material impact on IBM’s growth profile in the long run. He is betting that it will, but then what choice does he have?

Headroom, which uses AI to supercharge videoconferencing, raises $5M

Videoconferencing has become a cornerstone of how many of us work these days — so much so that one leading service, Zoom, has graduated into verb status because of how much it’s getting used.

But does that mean videoconferencing works as well as it should? Today, a new startup called Headroom is coming out of stealth, tapping into a battery of AI tools — computer vision, natural language processing and more — on the belief that the answer to that question is a clear — no bad Wi-Fi interruption here — “no.”

Headroom not only hosts videoconferences, but then provides transcripts, summaries with highlights, gesture recognition, optimised video quality and more, and today it’s announcing that it has raised a seed round of $5 million as it gears up to launch its freemium service into the world.

You can sign up to the waitlist to pilot it, and get other updates here.

The funding is coming from Anna Patterson of Gradient Ventures (Google’s AI venture fund); Evan Nisselson of LDV Capital (a specialist VC backing companies building visual technologies); Yahoo founder Jerry Yang, now of AME Cloud Ventures; Ash Patel of Morado Ventures; Anthony Goldbloom, the co-founder and CEO of Kaggle.com; and Serge Belongie, Cornell Tech associate dean and professor of Computer Vision and Machine Learning.

It’s an interesting group of backers, but that might be because the founders themselves have a pretty illustrious background with years of experience using some of the most cutting-edge visual technologies to build other consumer and enterprise services.

Julian Green — a British transplant — was most recently at Google, where he ran the company’s computer vision products, including the Cloud Vision API that was launched under his watch. He came to Google by way of its acquisition of his previous startup Jetpac, which used deep learning and other AI tools to analyze photos to make travel recommendations. In a previous life, he was one of the co-founders of Houzz, another kind of platform that hinges on visual interactivity.

Russian-born Andrew Rabinovich, meanwhile, spent the last five years at Magic Leap, where he was the head of AI, and before that, the director of deep learning and the head of engineering. Before that, he too was at Google, as a software engineer specializing in computer vision and machine learning.

You might think that leaving their jobs to build an improved videoconferencing service was an opportunistic move, given the huge surge of use that the medium has had this year. Green, however, tells me that they came up with the idea and started building it at the end of 2019, when the term “COVID-19” didn’t even exist.

“But it certainly has made this a more interesting area,” he quipped, adding that it did make raising money significantly easier, too. (The round closed in July, he said.)

Given that Magic Leap had long been in limbo — AR and VR have proven to be incredibly tough to build businesses around, especially in the short to medium-term, even for a startup with hundreds of millions of dollars in VC backing — and could have probably used some more interesting ideas to pivot to; and that Google is Google, with everything tech having an endpoint in Mountain View, it’s also curious that the pair decided to strike out on their own to build Headroom rather than pitch building the tech at their respective previous employers.

Green said the reasons were two-fold. The first has to do with the efficiency of building something when you are small. “I enjoy moving at startup speed,” he said.

And the second has to do with the challenges of building things on legacy platforms versus fresh, from the ground up.

“Google can do anything it wants,” he replied when I asked why he didn’t think of bringing these ideas to the team working on Meet (or Hangouts if you’re a non-business user). “But to run real-time AI on video conferencing, you need to build for that from the start. We started with that assumption,” he said.

All the same, the reasons why Headroom is interesting are also likely to be the ones that will pose big challenges for it. The new ubiquity (and our present lives working at home) might make us more open to using video calling, but for better or worse, we’re all also now pretty used to what we already use. And many companies have now paid up as premium users of one service or another, so they may be reluctant to try out new and less-tested platforms.

But as we’ve seen in tech so many times, sometimes it pays to be a late mover, and the early movers are not always the winners.

The first iteration of Headroom will include features that will automatically take transcripts of the whole conversation, with the ability to use the video replay to edit the transcript if something has gone awry; offer a summary of the key points that are made during the call; and identify gestures to help shift the conversation.

And Green tells me that they are already also working on features that will be added into future iterations. When the videoconference uses supplementary presentation materials, those can also be processed by the engine for highlights and transcription too.

And another feature will optimize the pixels that you see for much better video quality, which should come in especially handy when you or the person/people you are talking to are on poor connections.

“You can understand where and what the pixels are in a video conference and send the right ones,” he explained. “Most of what you see of me and my background is not changing, so those don’t need to be sent all the time.”

All of this taps into some of the more interesting aspects of sophisticated computer vision and natural language algorithms. Creating a summary, for example, relies on technology that is able to suss out not just what you are saying, but what are the most important parts of what you or someone else is saying.

And if you’ve ever been on a videocall and found it hard to make it clear you’ve wanted to say something, without straight-out interrupting the speaker, you’ll understand why gestures might be very useful.

But they can also come in handy if a speaker wants to know if he or she is losing the attention of the audience: The same tech that Headroom is using to detect gestures for people keen to speak up can also be used to detect when they are getting bored or annoyed and pass that information on to the person doing the talking.

“It’s about helping with EQ,” he said, with what I’m sure was a little bit of his tongue in his cheek, but then again we were on a Google Meet, and I may have misread that.

And that brings us to why Headroom is tapping into an interesting opportunity. At their best, when they work, tools like these not only supercharge videoconferences, but they have the potential to solve some of the problems you may have come up against in face-to-face meetings, too. Building software that actually might be better than the “real thing” is one way of making sure that it can have staying power beyond the demands of our current circumstances (which hopefully won’t be permanent circumstances).

Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work

There’s an old adage in information security: “Every company gets penetration tested, whether or not they pay someone for the pleasure.” Many organizations that do hire professionals to test their network security posture unfortunately tend to focus on fixing vulnerabilities hackers could use to break in. But judging from the proliferation of help-wanted ads for offensive pentesters in the cybercrime underground, today’s attackers have exactly zero trouble gaining that initial intrusion: The real challenge seems to be hiring enough people to help everyone profit from the access already gained.

One of the most common ways such access is monetized these days is through ransomware, which holds a victim’s data and/or computers hostage unless and until an extortion payment is made. But in most cases, there is a yawning gap of days, weeks or months between the initial intrusion and the deployment of ransomware within a victim organization.

That’s because it usually takes time and a good deal of effort for intruders to get from a single infected PC to seizing control over enough resources within the victim organization where it makes sense to launch the ransomware.

This includes pivoting from or converting a single compromised Microsoft Windows user account to an administrator account with greater privileges on the target network; the ability to sidestep and/or disable any security software; and gaining the access needed to disrupt or corrupt any data backup systems the victim firm may have.

Each day, millions of malware-laced emails are blasted out containing booby-trapped attachments. If the attachment is opened, the malicious document proceeds to quietly download additional malware and hacking tools to the victim machine (here’s one video example of a malicious Microsoft Office attachment from the malware sandbox service any.run). From there, the infected system will report home to a malware control server operated by the spammers who sent the missive.

At that point, control over the victim machine may be transferred or sold multiple times between different cybercriminals who specialize in exploiting such access. These folks are very often contractors who work with established ransomware groups, and who are paid a set percentage of any eventual ransom payments made by a victim company.

THE DOCTOR IS IN

Enter subcontractors like “Dr. Samuil,” a cybercriminal who has maintained a presence on more than a dozen top Russian-language cybercrime forums over the past 15 years. In a series of recent advertisements, Dr. Samuil says he’s eagerly hiring experienced people who are familiar with tools used by legitimate pentesters for exploiting access once inside of a target company — specifically, post-exploit frameworks like the closely-guarded Cobalt Strike.

“You will be regularly provided select accesses which were audited (these are about 10-15 accesses out of 100) and are worth a try,” Dr. Samuil wrote in one such help-wanted ad. “This helps everyone involved to save time. We also have private software that bypasses protection and provides for smooth performance.”

From other classified ads he posted in August and September 2020, it seems clear Dr. Samuil’s team has some kind of privileged access to financial data on targeted companies that gives them a better idea of how much cash the victim firm may have on hand to pay a ransom demand. To wit:

“There is huge insider information on the companies which we target, including information if there are tape drives and clouds (for example, Datto that is built to last, etc.), which significantly affects the scale of the conversion rate.

Requirements:
– experience with cloud storage, ESXi.
– experience with Active Directory.
– privilege escalation on accounts with limited rights.

* Serious level of insider information on the companies with which we work. There are proofs of large payments, but only for verified LEADs.
* There is also a private MEGA INSIDE, which I will not write about here in public, and it is only for experienced LEADs with their teams.
* We do not look at REVENUE / NET INCOME / Accountant reports, this is our MEGA INSIDE, in which we know exactly how much to confidently squeeze to the maximum in total.

According to cybersecurity firm Intel 471, Dr. Samuil’s ad is hardly unique, and there are several other seasoned cybercriminals who are customers of popular ransomware-as-a-service offerings that are hiring sub-contractors to farm out some of the grunt work.

“Within the cybercriminal underground, compromised accesses to organizations are readily bought, sold and traded,” Intel 471 CEO Mark Arena said. “A number of security professionals have previously sought to downplay the business impact cybercriminals can have to their organizations.”

“But because of the rapidly growing market for compromised accesses and the fact that these could be sold to anyone, organizations need to focus more on efforts to understand, detect and quickly respond to network compromises,” Arena continued. “That covers faster patching of the vulnerabilities that matter, ongoing detection and monitoring for criminal malware, and understanding the malware you are seeing in your environment, how it got there, and what it has or could have dropped subsequently.”

WHO IS DR. SAMUIL?

In conducting research for this story, KrebsOnSecurity learned that Dr. Samuil is the handle used by the proprietor of multi-vpn[.]biz, a long-running virtual private networking (VPN) service marketed to cybercriminals who are looking to anonymize and encrypt their online traffic by bouncing it through multiple servers around the globe.

Have a Coke and a Molotov cocktail. Image: twitter.com/multivpn

MultiVPN is the product of a company called Ruskod Networks Solutions (a.k.a. ruskod[.]net), which variously claims to be based in the offshore company havens of Belize and the Seychelles, but which appears to be run by a guy living in Russia.

The domain registration records for ruskod[.]net were long ago hidden by WHOIS privacy services. But according to Domaintools.com [an advertiser on this site], the original WHOIS records for the site from the mid-2000s indicate the domain was registered by a Sergey Rakityansky.

This is not an uncommon name in Russia or in many surrounding Eastern European nations. But a former business partner of MultiVPN who had a rather public falling out with Dr. Samuil in the cybercrime underground told KrebsOnSecurity that Rakityansky is indeed Dr. Samuil’s real surname, and that he is a 32- or 33-year-old currently living in Bryansk, a city located approximately 200 miles southwest of Moscow.

Neither Dr. Samuil nor MultiVPN have responded to requests for comment.

Healthcare and Cybersecurity in the Times of Covid-19

Looking back at our post on healthcare and cybercrime back in February, it seems amazing that we were referring to Covid-19 as the “Wuhan Coronavirus.” Back then, no one could have anticipated the impact of the virus on our world. In the 7 months that have passed since, we have witnessed a major shift in the way enterprises, educational institutes and even government agencies work. Almost everyone has shifted to working from home.

Hospitals, care and research facilities, however, are one of the key exceptions to the trend towards remote work, and by necessity have maintained “business as usual.”

The spread of the pandemic meant that these institutes were (and still are) at the forefront of the global human effort to fight the virus. As such, some of us might have imagined that this critical sector would be spared by cybercriminals, but that’s not what has happened. The Covid-19 era is characterized by a steep rise in cyber attacks, from different perpetrators and for different motivations, and the healthcare sector hasn’t been spared.


By August, the situation had become so severe that the president of the International Committee of the Red Cross warned the U.N. Security Council about the increase in cyberattacks targeting hospitals: “If hospitals cannot provide life-saving treatment in the middle of a health crisis or an armed conflict, whole communities will suffer”

How Well Is Healthcare Cyber Security Doing?

Let’s begin by reviewing the factors that contribute to the healthcare sector being at high risk from cyber threat actors.

Weak infrastructure, under extreme stress

Hospitals’ IT infrastructure is big, complex and oftentimes dated. Hospitals and healthcare facilities have not been required in the past to adhere to stringent cyber regulation in the same way that banks, insurance companies and critical facilities have. Many of them rely on old, legacy systems and lack the qualified manpower to maintain these and face novel security threats. The entire IT infrastructure of hospitals is under extreme stress nowadays, due to remote work and under constraints related to Covid, as well as growing demand for their services.

Rogue devices

In addition, hospitals and care facilities were forced to implement remote monitoring technologies overnight to accommodate Covid patients. This meant that they purchased off-the-shelf IT and communication equipment (such as home routers), IP cameras and other sensors, all connected to the local networks. In other words, alien devices were introduced into sensitive environments without proper due diligence. Many of these devices ship with default credentials and could serve as a remote entry point into the network.

Telehealth

Covid also sped up the adoption of telehealth (aka remote health), health apps and remote monitoring equipment. If we were to speculate, the speed with which these technologies were adopted did not allow for proper penetration testing and verification, meaning that the attack surface has increased tenfold.

Third-party risks

Healthcare institutes work with a multitude of third-party vendors: suppliers, service providers, state and federal agencies, universities and NGOs. This supply chain embodies a significant risk, since it is extremely difficult to ensure that all these providers are up to the same cybersecurity standard, a weakness that attackers often exploit.

Children’s Minnesota, one of the largest children’s healthcare organizations in the US, recently announced that the personal data of more than 160,000 patients may have been compromised due to a previous hack of Blackbaud, a cloud software company.

Even vendors that are specifically hired to assist with security operations can sometimes make mistakes with serious consequences. Elite Emergency Physicians, for example, hired a third-party vendor to securely dispose of two decades’ worth of medical records. However, the records were instead found discarded at a local dump site, which resulted in a massive data breach of some 550,000 patients’ details.

Tired staff, weak security culture

It’s no secret that tired, overworked professionals make more errors. This is true for surgery and also for cybersecurity. Healthcare staff don’t exactly have the best cybersecurity practices to begin with: one study found that physicians rarely locked their workstations when walking away to treat a patient, even though they were supposed to. Add in the fact that they have been working extra hard for many months, and it’s unsurprising that there will be more IT-related mistakes, ones that could put the entire organization in jeopardy.

All the factors discussed above contribute to the fact that healthcare facilities suffer badly from cyber attacks.

How Cyber Attacks on Healthcare Have Intensified During Covid-19

Cyber attacks, and especially ransomware attacks, against hospitals have increased in number and severity over the last 7 to 8 months. At least 41 healthcare providers experienced ransomware attacks in the first half of 2020, and since then, an increasing number of hospitals have been targeted. In the most recent incident, Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider, was hit by Ryuk ransomware, which impacted all of its U.S. sites.

Attacks almost always result in data breaches

Given the more aggressive types of ransomware and other data stealing malware, it’s no wonder that almost every successful cyber attack now results in a data breach. These are financially costly, damage reputation, cause residual damage to patients and inevitably result in a regulatory headache for the breached facility.

The number of records compromised in cyber attacks and data breaches is rising, according to HIPAA Journal:

Costs are also rising. An IBM study found that the average cost of a healthcare data breach stands at around $7.13 million globally and $8.6 million in the United States. This represents a 10.5% year-over-year increase.

First-ever cyber-related casualty

It has long been speculated that hackers would someday breach a medical device and cause harm to a patient. When that came to pass, the nature of the incident was far more mundane, and far sadder. A patient died after a hospital in the city of Düsseldorf was unable to admit her because its systems had been knocked out by a cyber attack. While in transit to another hospital, the patient died, prompting a murder investigation by local authorities.

Hampering the efforts to find a Covid-19 vaccination

The world is eagerly awaiting a Covid vaccine to help bring about the end of the pandemic, and many research programs are ongoing on many different vaccine technologies. Hackers from China and Russia, however, appear to be taking a “shortcut” by trying to steal Covid-19 vaccine research. These attempts are slowing down the development process. Sometimes, the disturbance isn’t even intentional: Philadelphia-based software company eResearchTechnology (ERT), which offers software used in hundreds of clinical trials, was hit by a ransomware attack. Its software is used by IQVIA, a contract research organization (CRO) that is assisting AstraZeneca’s COVID-19 vaccine trial.


Protecting Healthcare Against Cyber Threats

As the healthcare cybersecurity situation degrades, there are some international, national and private initiatives attempting to improve things.

Israel has announced plans for a national program to defend hospitals. In the UK, a fund was set up to provide free government cyber certification and training. It is not only governments that are assisting the healthcare sector, either. The CTI League is an organization comprising more than 3,000 cyber experts that was founded earlier this year and provides free assistance to healthcare facilities fighting cyber attacks. They offer four pro bono services: Neutralization, Prevention, Supporting, and Health-related support.

These are great initiatives that should have real impact in places where they can have influence, but no matter how positive and encouraging these initiatives are, it is still mostly up to the healthcare institutes themselves to fight off this offensive.

What Can You Do?

In medicine, it’s often said that an ounce of prevention is worth a pound of cure. This is true in cybersecurity as well. Here are some things that could immediately improve the cybersecurity posture of healthcare facilities:

  • Awareness and email security – many cyber attacks rely on the humans working at healthcare facilities. Better awareness will reduce their chances of downloading suspicious documents or clicking suspicious links. There have been so many examples of recent attacks on healthcare facilities that creating a realistic phishing simulation should not be too difficult.
  • Internet-facing devices – email isn’t the only penetration vector. Many cyber attacks utilize open ports and remote access protocols. This is a pure IT hygiene issue that requires care and attention, but it is doable. Only necessary ports should be exposed to the internet. In fact, researchers found that vulnerable RDP ports increase the likelihood of a successful ransomware attack by 37%, and certain hackers are specifically stealing and selling RDP credentials on the dark web.
  • Credential theft – once entry is gained, attackers utilize readily available tools such as Mimikatz to access servers and spread across the network, alongside aggressive password spraying and other credential-stealing techniques. Having robust passwords will reduce the chances of these succeeding.
  • Endpoint security – endpoints are the critical means of entry to your network and your assets. Having an advanced endpoint security solution on all endpoints and servers is a necessity to improve your healthcare organization’s cybersecurity resilience.
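The second and third bullets above (exposed RDP, password spraying) can be watched for in the logs a hospital already collects. The following is an added example, not code from the SentinelOne post, showing one such detection: it assumes Windows Security Event ID 4625 (failed logon) records have been exported as dicts with the field names shown, and the sample events are constructed using documentation IP ranges and invented usernames.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # Event 4625 LogonType 10 = RemoteInteractive (Remote Desktop)


def _failed_logon(ts, user, ip, logon_type=RDP_LOGON_TYPE):
    """Build one constructed Windows Security Event ID 4625 record."""
    return {"TimeCreated": ts, "EventID": 4625, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


# Constructed sample telemetry (documentation IP ranges, invented usernames).
SAMPLE_EVENTS = (
    # one external source trying a password against eight accounts over RDP in eight seconds
    [_failed_logon(f"2020-10-12T03:00:{i:02d}", f"user{i:02d}", "203.0.113.7") for i in range(8)]
    # a nurse mistyping their own password three times from a ward workstation
    + [_failed_logon(f"2020-10-12T07:15:{i * 20:02d}", "nurse.lee", "10.20.5.14") for i in range(3)]
    # a network (SMB) logon spray from a second source, ignored when rdp_only=True
    + [_failed_logon(f"2020-10-12T09:00:{i:02d}", f"svc{i}", "198.51.100.9", logon_type=3) for i in range(6)]
)


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, rdp_only=True):
    """Return {source_ip: peak_distinct_accounts} for sources whose failed logons
    hit at least `min_accounts` different usernames inside any `window`-long span.
    A spray is one source, few passwords, many accounts, so the signal is distinct
    TargetUserName values per IpAddress, not raw failure count; one user mistyping
    their own password never trips it.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4625:
            continue
        if rdp_only and ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        by_ip[ev["IpAddress"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["TargetUserName"]))

    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        in_window = Counter()  # username -> failures currently inside the window
        left, peak = 0, 0
        for ts, user in attempts:
            in_window[user] += 1
            # slide the left edge forward until the window is at most `window` wide
            while ts - attempts[left][0] > window:
                old_user = attempts[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_accounts:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_EVENTS))                  # {'203.0.113.7': 8}
    print(detect_password_spray(SAMPLE_EVENTS, rdp_only=False))  # adds '198.51.100.9': 6
```

Tune `window` and `min_accounts` to the site's normal failed-logon rate before alerting on it, and feed alerts for internet-facing hosts straight to the team that owns the RDP exposure.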
